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TECHNIQUE FOR MMNTAINING SECURE NETWORK CONNECTIONS 



FIELD OF THE INVENTION 

The present invention relates generally to 
5 telecommunications and, more particularly, to a technique for 
maintaining secure network connections. 



BACKGROUND OF THE INVENTION 

IP Security (IPsec) is a security architecture for internet 
10 protocol (IP) that includes a set of protocols developed by the 
Internet Engineering Task Force (IETF) to support secure 
exchange of packets at the IP layer. IPsec provides security 
services by enabling a system to select required security 
protocols, determine the algorithm(s) to use for the service (s), 
15 and put in place any cryptographic keys required to provide the 
requested services. IPsec uses two protocols to provide traffic 
security: Authentication Header (AH) and Encapsulating Security 
Payload (ESP) . For IPsec to work, the sending and receiving 
devices typically share a public key which is handled through 
20 the Internet Security Association and Key Management Protocol 
(ISAKMP) . 

A Security Association (SA) is a security-protocol-specific 
set of parameters that completely defines the services and 
mechanisms necessary to protect traffic at that security 
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protocol location. These parameters typically include algorithm 

identifiers, modes, cryptographic keys, etc. An SA is often 

referred to by its associated security protocol (for example, 

"ISAKMP SA", "ESP SA"). 

5 At the initiation of a secure connection between two 

network elements, they must first negotiate an ISAKMP SA to 

protect their further negotiations. This ISAKMP SA is then used 

in negotiating Protocol SA's. During the negotiation and 

establishment of Protocol SA's, a security parameter index (SPI) 

10 is generated for each SA. The negotiated SA's are typically 
stored in a security association database (SAD) , and an SPI is 
used together with a destination IP address and a security 
protocol to uniquely identify an SA. Another database typically 
maintained by an IPsec-enabled element is a security policy 

15 database (SPD) which specifies the policies concerning 
disposition of all IP packets. Each IPsec-enabled interface 
typically maintains separate inbound and outbound databases (SPD 
and SAD) . 

In a wireless local area network (WLAN) , which has become 
20 more and more popular, it is not uncommon for a mobile user to 
roam among different subnets or from one geographic area to 
another using different IP addresses. It has become 

increasingly desirable to support the ability of maintaining 
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secure connections without loss of data while a mobile client 

experiences a change of IP address. However, current IPsec 

architecture does not support such an IP address change without 

terminating the old connection and re-establishing a new one. 

As a result, a roaming client would encounter inevitable network 

service disruptions, which is not only inconvenient for the 

client but also burdensome for the network due to overhead costs 

from repeated security negotiations. 

One solution to the loss-of-connection problem is to adopt 
Mobile IP in an IPsec implementation. With this solution, a 
mobile client is assigned a relatively permanent Mobile IP 
address in its home network. When roaming into a foreign 
network, the client obtains a care-of IP address from a foreign 
agent and communicates with the rest of the world through the 
foreign agent. As shown in Figure 1, when it roams from Network 
1 to Network 2, the mobile client has to maintain double 
tunneling to the Security Server in order not to lose 
connection. Mobile IP with double tunneling is highly 

inefficient and can be especially problematic for a resource- 
limited mobile unit. In addition, it takes considerable 
development effort to implement Mobile IP. 

In view of the foregoing, it would be desirable to provide 
a mobility solution which overcomes the above-described 
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inadequacies and shortcomings. 

SUMMARY OF THE INVENTION 

According to the present invention, a technique for 
5 maintaining secure network connections is provided. In one 
particular exemplary embodiment, the technique may be realized 
as a method for maintaining secure network connections. The 
method may comprise detecting a change of address associated 
with a first network element. The method may also comprise 

10 updating at least one first security configuration at the first 
network element. The method may further comprise transmitting 
at least one secure message from the first network element to a 
second network element, wherein the at least one secure message 
comprises information associated with the change of address. 

15 And the method may comprise updating at least one second 
security configuration at the second network element based at 
least in part on the at least one secure message. 

In accordance with other aspects of this particular 
exemplary embodiment of the present invention, a lookup of 

20 security associations may be not dependent on any destination 
address . 

In accordance with further aspects of this particular 
exemplary embodiment of the present invention, the first network 
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element may be a mobile client and the second network element 

may be a security gateway. 

In accordance with still further aspects of this particular 

exemplary embodiment of the present invention, the first network 

5 element and the second network element may be part of a virtual 

private network (VPN) . 

In accordance with additional aspect of this particular 

exemplary embodiment of the present invention, communications 

between the first network element and the second network element 

10 may be based on a security architecture for the internet 

protocol (IPsec) . At least part of the communications between 

the first network element and the second network element may be 

based on an internet security association and key management 

protocol (ISAKMP) . The second network element may identify at 

15 least one security association based on at least one cookie 

field in the at least one secure message. 

In another particular exemplary embodiment, the technique 

may be realized by at least one signal embodied in at least one 

carrier wave for transmitting a computer program of instructions 

20 configured to be readable by at least one processor for 

instructing the at least one processor to execute a computer 

process for performing the method as recited above. 

In yet another particular exemplary embodiment, the 
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technique may be realized by at least one processor readable 

carrier for storing a computer program of instructions 

configured to be readable by at least one processor for 

instructing the at least one processor to execute a computer 

5 process for performing the method as recited above. 

In still another particular exemplary embodiment, the 

technique may be realized as a method for maintaining secure 

network connections. The method may comprise duplicating, 

between a second network element and a third network element, 

10 information associated with a secure network connection between 
a first network element and the second network element, wherein 
a lookup of security associations associated with the secure 
network connection is not dependent on any destination address. 
The method may also comprise replacing the second network 

15 element with the third network element in the secure network 
connection with the first network element. The method may 
further comprise sending at least one secure message from the 
third network element to the first network element. 

In a further particular exemplary embodiment, the technique 

20 may be realized as a method for maintaining secure network 
connections. The method may comprise configuring a plurality of 
security gateways such that a lookup of security associations is 
not dependent on any destination address. The method may 
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further comprise sharing at least one security association among 

the plurality of security gateways. 

In a still further particular exemplary embodiment, the 

technique may be realized by a system for maintaining secure 

5 network connections. The system may comprise means for 

detecting a change of address associated with a first network 

element, means for updating at least one first security 

configuration at the first network element, means for 

transmitting at least one secure message from the first network 

10 element to a second network element, wherein the at least one 
secure message comprises information associated with the change 
of address, and means for updating at least one second security 
configuration at the second network element based on the at 
least one secure message. 

15 The present invention will now be described in more detail 

with reference to exemplary embodiments thereof as shown in the 
accompanying drawings. While the present invention is described 
below with reference to exemplary embodiments, it should be 
understood that the present invention is not limited thereto. 

20 Those of ordinary skill in the art having access to the 
teachings herein will recognize additional implementations, 
modifications, and embodiments, as well as other fields of use, 
which are within the scope of the present invention as disclosed 
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and claimed herein, and with respect to which the present 

invention could be of significant utility. 



BRIEF DESCRIPTION OP THE DRAWINGS 

5 In order to facilitate a fuller understanding of the 

present invention, reference is now made to the accompanying 
drawings, in which like elements are referenced with like 
numerals. These drawings should not be construed as limiting 
the present invention, but are intended to be exemplary only. 
10 Figure 1 is a schematic illustration of a Mobile IP 

solution adopted in prior arts. 

Figure 2 is a flow chart illustrating an exemplary method 
for maintaining secure network connections in accordance with an 
embodiment of the present invention. 
15 Figure 3 is an illustration of an exemplary IPsec packet in 

accordance with an embodiment of the present invention. 

Figure 4 is a block diagram illustrating an exemplary 
system for maintaining secure network connections in accordance 
with an embodiment of the present invention. 
20 Figure 5 is a block diagram illustrating an exemplary 

implementation of High Availability in accordance with an 
embodiment of the present invention. 

Figure 6 is a block diagram illustrating an exemplary 
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implementation of Group Mode Security in accordance with an 

embodiment of the present invention. 



DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENT (S) 

5 For illustration purposes, the technique for maintaining 

secure network connections in accordance with the present 
invention will be described below with specific reference to 
IPsec in tunnel mode. However, it should be appreciated that 
the technique is applicable to any secure network protocols 

10 regardless of the mode of operation. As used hereinafter, a 
''security gateway" refers to any intermediate or terminal 
system, such as a router, a firewall or a server, that 
implements IPsec protocols. A ''mobile client" refers to a 
remote user or unit that communicates with a security gateway 

15 using IPsec protocols. One or more security gateways and mobile 
clients may form a security network system. 

Referring to Figure 2, there is shown a flow chart 
illustrating an exemplary method for maintaining secure network 
connections in accordance with an embodiment of the present 

20 invention. 

In step 200, Security Association (SA) lookup may be made 
independent of destination IP address system-wide. 

In the context of IPsec in tunnel mode, an IPsec-processed 
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packet typically has a format as illustrated in Figure 3. The 

packet contains an Outer IP Header, an IPsec Header, an Inner IP 

Header and Other Data. The Inner IP Header, which contains the 

original source and destination addresses, and Other Data (e.g., 

5 payloads) are protected with encryption. The information 

associated with the encryption and authentication is contained 

in the IPsec Header. And the Outer IP Header contains source 

and destination addresses for the tunnel endpoints. For inbound 

processing, a security gateway will use the destination IP 

10 address in the Outer IP Header, together with the Security 
Parameter Index (SPI) and the type of protocol as indicated in 
the IPsec Header, to look up the appropriate SA(s) in a local SA 
Database (SAD) . The appropriate SA or SA bundles are then used 
in authenticating and decrypting the packet. 

15 When SA lookup is made independent of destination IP 

address, SPI may be used to uniquely identify an SA within a 
protocol. This system-wide change may offer a number of 
advantages. For example, since inbound processing is no longer 
dependent on destination IP address, the change of outer IP 

20 address would not affect a security gateway's ability to locate 
the correct SA(s) . Further, with the removal of dependency on 
destination IP address, the same SA may be shared among multiple 
IPsec tunnels and multiple nodes in a group. The resulting High 
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Availability and Group Mode Security will be described in more 

detail below. 

In step 202, a mobile client may detect its own IP address 
change. As a mobile client moves into a different network or 
5 geographic area, its IP address may change to a different value. 
The change of address may also result from a switch of network 
adapters, e.g., from a WLAN to a LAN card or vice versa. As the 
mobile client detects the change, it may keep a record of the 
new address as well as the old address. 

10 In step 204, the mobile client may update its own ISAKMP 

SAs and IPsec SAs with the new IP address. 

Next, in step 206, the mobile client may use a current 
ISAKMP SA to send a NOTIFY message to a security gateway with 
whom the client has been maintaining a secure connection. The 

15 NOTIFY message may contain at least the client's old IP address 
and new IP address. The NOTIFY message may also include a 
sequence number to ensure reliable delivery and detection of 
duplicate packets. The contents of the NOTIFY message are 
securely protected by the ISAKMP SA encryption. The ISAKMP 

20 NOTIFY message may be subject to the same retry and timeout of 
other ISAKMP messages. 

In step 208, upon receiving the NOTIFY message, the 
security gateway may locate the appropriate ISAKMP SA based on 
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the cookie fields in the ISAKMP header. The cookie fields 

uniquely identify the SA associated with the NOTIFY message. 

The appropriate SA may then be applied to process the secure 

NOTIFY message to extract the old and new IP addresses. 

5 In step 210, the security gateway may then update its SADs 

based on the old and new IP addresses of the mobile client. 

According to embodiments of the invention, it may be more 

desirable to update the security gateway' s SADs based on a 

secure NOTIFY message from the mobile client rather than based 

10 on inbound data with the new IP address. To update the outbound 
SAD or ISAKMP SAs using an outer IP header may expose the 
security gateway to denial of service (DoS) attacks since the 
outer IP header is not protected by integrity check such as 
Hashed Message Authentication Code (HMAC) . Further, the 

15 security gateway might need to forward data to the client before 
any inbound data is received. 

In step 212, after the security gateway is updated with the 
new IP address of the mobile client, the IPsec connection may be 
maintained. IP traffic can continue flowing in both directions 

20 between them without disruption. Once the mobile client receives 
data packets destined to the new IP address, it will know that 
the update of new IP address has succeeded. 

Referring now to Figure 4, there is shown a block diagram 
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illustrating an exemplary system (400) for maintaining secure 

network connections in accordance with an embodiment of the 

present invention. The System 400 may be any network element 

(e.g., a remote unit, router or server) that implements IPsec 

5 protocols. The System 400, typically comprises a processor 

module 402, a storage module 404 and a transceiver module 406. 

The processor module 402 may be a central processing unit (CPU), 

micro-controller, digital signal processing (DSP) unit, or 

computer with packet-processing and hardware-control functions. 

10 The storage module 404 may be a storage device, such as a 
semiconductor memory, nonvolatile memory, hard drive disk, CD- 
ROM or similar, that is accessible by the processor module 402. 
Storage module 404 may hold data records including SADs, SPDs, 
and IP addresses, etc. The transceiver module 406 may be 

15 capable of transmitting and receiving data packets. In 
operation, the processor module 402 may follow the IPsec 
protocols including ISAKMP in accordance with the exemplary 
method described above. System 400 depicts the typical 
components of either a mobile client or a security gateway. As 

20 a mobile client, the processor module 402 may detect its IP 
address change, store the old and new addresses in the storage 
module 404, update the local SADs with the new address, and send 
an ISAKMP NOTIFY message, via the transceiver module 406, to a 
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security gateway. As a security gateway, the processor module 

402 may receive the ISAKMP NOTIFY message via the transceiver 

module 406, look up the ISAKMP SA in the storage module 404 

based on the cookie pairs in the NOTIFY message, decrypt the 

5 message with the ISAKMP SA, and Nupdate the local SADs based on 

the old and new IP addresses. 

As mentioned above, removal of dependency on destination IP 

address makes it possible to achieve High Availability and Group 

Mode Security. These two implementations are described in 

10 connection with Figures 5 and 6. 

Figure 5 is a block diagram illustrating an exemplary 
implementation of High Availability in accordance with an 
embodiment of the present invention. In Figure 5, there is 
shown a Mobile Client 500 maintaining a secure connection with a 

15 Security Server 502 via an IPsec Tunnel 52. When the IPsec 
connection is established between Mobile Client 500 and Security 
Server 502, a copy of the IPsec SAs and the ISAKMP SAs may be 
sent via a secure path 56 to a Security Server 504. During the 
life of the connection between Client 500 and Server 502, any 

20 changes in their security configurations may be securely 
duplicated to Server 504. In the same time. Server 504 may 
constantly monitor the operations of Server 502. When Server 
502 fails. Server 504 may send an ISAKMP NOTIFY message to 
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Client 500 indicating the connection will be taken over by 

Server 504. Since Server 504 is up-to-date with all the 

security information concerning the connection between Client 

500 and Server 502, Client 500 will be able to decrypt the 

5 NOTIFY message and start forwarding traffic to Server 504 

without re-establishing an IPsec connection. And since there is 

no SA dependency on destination IP address. Server 504 should be 

able to communicate with Client 500 via IPsec Tunnel 54 in 

exactly the same way as Server 502 did. As a result. Client 500 

10 may experience minimal impact due to failure of Server 502. 

Figure 6 is a block diagram illustrating an exemplary 
implementation of Group Mode Security in accordance with an 
embodiment of the present invention. Current IPsec is a point- 
to-point model. With the SA dependency on destination IP 

15 addresses, each connection between any two nodes has to be 
individually configured. For a system with N nodes, N being an 
integer, a total of N*(N-l)/2 connections must be configured. 
As the number of nodes increases, the number of connections that 
have to be individually configured may increase very quickly. 

20 For example, for an organization with four branch offices, as 
shown in Figure 6, a total of six connections among the four 
security servers (A through D) must be configured. For a system 
with 8 nodes, 28 connections are to be configured. However, 
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with the removal of dependency on destination IP address, the 

same SA may be shared among multiple nodes in a group. Any 

traffic sent among the group nodes may be protected using the 

same SA. This may make configurations of a large number of 

5 branch offices much easier. 

Functionalities in accordance with the above-described 

exemplary method may be achieved without physical modification 

to existing network hardware. Instead, the mobility solution in 

accordance with the present invention may be implemented through 

10 software and/or firmware upgrades. 

At this point it should be noted that the technique for 
maintaining secure network connections in accordance with the 
present invention as described above typically involves the 
processing of input data and the generation of output data to 

15 some extent. This input data processing and output data 
generation may be implemented in hardware or software. For 
example, specific electronic components may be employed in a 
computer and/or communications network or similar or related 
circuitry for implementing the functions associated with the 

20 mobility solution in accordance with the present invention as 
described above. Alternatively, one or more processors 

operating in accordance with stored instructions may implement 
the functions associated with maintaining secure network 
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connections in accordance with the present invention as 

described above. If such is the case, it is within the scope of 

the present invention that such instructions may be stored on 

one or more processor readable carriers (e.g., a magnetic disk), 

5 or transmitted to one or more processors via one or more 

signals . 

The present invention is not to be limited in scope by the 
specific embodiments described herein. Indeed, other various 
embodiments of and modifications to the present invention, in 

10 addition to those described herein, will be apparent to those of 
ordinary skill in the art from the foregoing description and 
accompanying drawings. Thus, such other embodiments and 

modifications are intended to fall within the scope of the 
following appended claims. Further, although the present 

15 invention has been described herein in the context of a 
particular implementation in a particular environment for a 
particular purpose, those of ordinary skill in the art will 
recognize that its usefulness is not limited thereto and that 
the present invention can be beneficially implemented in any 

20 number of environments for any number of purposes. Accordingly, 
the claims set forth below should be construed in view of the 
full breadth and spirit of the present invention as disclosed 
herein. 
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